A number of malicious spam campaigns have been detected simultaneously delivering malware – including ransomware, banking Trojans, and backdoors – to victims across different geographical regions. These campaigns are interesting because they all use lookalike domains and stolen branding from a variety of government agencies, each specifically tied to the countries being targeted to lend a sense of local legitimacy and urgency to their messages. They have been targeting IT services, manufacturing, and healthcare organizations using these spoofed government agencies to convince users to read these emails and open their attachments. While the source of these spam campaigns is still being analyzed, some threat researchers have asserted that these campaigns are being launched and coordinated by a single criminal organization.
In the United States, these cybercriminals are sending emails pretending to be from the United States Postal Service (USPS), with a malicious Word document named 'USPS_Deliver.doc' attached. In addition to describing the attachment as urgent, the text also tricks the user into thinking the document is encrypted and must be opened to be read. But as one would expect, opening the document enables a malicious macro that then installs the IceID banking Trojan on the victim’s computer and attempts to steal their online banking credentials.
In the campaign targeting Germany, the threat actors masquerade as the Bundeszentralamt fur Steuern, the German Ministry of Finance. In this case, the actors are using a commercially licensed software tool, Cobalt Strike. This tool emulates the type of backdoor framework used by the penetration tool, Metasploit. Once again, the threat actor tries to convince the recipient that the attached malicious document is legitimate and important, and that the only way to view it is to enable the content.
In the campaign targeting Italy, the authors impersonate the Italian Revenue Agency, Agenzia Delle Entrate. In this campaign, they pretend that the email and attached letter are about new tax and revenue guidelines that businesses and consumers need to follow, and recommends they open the attachment – which, of course, is malicious.
Masquerading as a government agency is especially effective at tricking unsuspecting users into opening malicious attachments. In this unusual campaign, the bad actors have developed elaborate messaging, look-alike websites, and other content for a variety of agencies from different countries. They then use targeted strategies to ensure that individuals included in a spam campaign are from those respective countries, though some cross-over should not tipoff any victims as the agencies for each campaign are unique.
Users must be suspect when they see email from government agencies, as they generally only use traditional postal systems to interact with citizens. This is especially true for information reportedly about tax refunds, as governments will almost never send this type of sensitive communication via email, certainly not in the United States. Cybercriminals are smart, however, and know that these social engineering tactics work because many of their victims are unaware of these communications policies.
As always, be wary and never open an unexpected attachment. If you are ever in doubt, the best course is to call the agency directly to confirm that the email is legitimate.
FortiGuard Labs has the following detections in place to address these spam campaigns.
FortiGuard labs has rated all of the domains related to the phishing emails identified in this report as Spam URLs/Malicious Websites in our category.
FortiMail identifies and blocks these social engineering campaigns with the following AV signatures:
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.